RBCommons and the Heartbleed SSL Vulnerability

On April 7th, the world became aware of a critical vulnerability in the versions of OpenSSL powering much of the Internet. This was a very serious problem that could allow attackers to gain access to certain confidential data on the server. This vulnerability is known as Heartbleed.

The vulnerability was, fortunately, found by security researchers, and companies like Red Hat and Amazon were quick to put out patched builds.

We take security very seriously, and rushed to update and replace our SSL certificates, ensuring our users would be safe in the off chance that anybody had decided to target us. We are not aware of any attempts on RBCommons, and want to keep it that way.

Even though we don’t believe anyone has targeted RBCommons, we still have a couple of recommendations for you.

  1. Reset your password, just to be safe. It might be a good time to evaluate whether you’re using a strong enough password, as well.
  2. Turn on two-factor authentication. This will help keep your account secure, requiring a token code sent to your mobile phone in order to log in.

If you have any questions or concerns, please contact us.


RBTools 0.6 is released

RBTools 0.6 has just been released, and it’s a big one. We spent a lot of time simplifying the process for posting and updating review requests, and we think it’s going to make life a lot easier for just about everyone.

Posting using Git or Mercurial used to require dealing with --parent and --revision-range, along with our custom revision syntax. Now all you have to do is pass native revisions or revision ranges to rbt post, like so:

$ rbt post HEAD
$ rbt post main-branch..feature-branch
$ rbt post 123:126

Compare this to the old way of doing things:

$ rbt post --parent=HEAD^
$ rbt post --revision-range=main-branch:feature-branch
$ rbt post --revision-range=123:126

We’ve also improved how “guessing” descriptions and summaries from commits works. In previous versions, you needed to run rbt post -g to enable guessing, but in 0.6, it’s now automatic for new review requests. This means less typing and less work to do.

That behavior can also be changed through the new GUESS_FIELDS setting in .reviewboardrc. This is covered in more detail in the documentation.

A few other goodies:

  • Feature and performance improvements for Mercurial
  • Git repository hook scripts for auto-closing review requests and requiring approval for pushes
  • Many new configuration options

And more.

A couple of important notes. We’ve removed support for the old post-review tool. Running post-review will now tell you to use rbt post instead.

We’ve also removed support for Python 2.4. You will now need 2.5 or higher. We strongly recommend that everybody upgrades to Python 2.7.

See the release notes for the complete list of changes.


Two-factor authentication is now available!

For the past month, we’ve been testing support for two-factor authentication for user accounts, and are happy to announce that it’s ready!

Two-factor authentication adds a layer of security to your accounts by requiring that you have your mobile device (cell phone or tablet) with you when logging in. Any time you log into RBCommons, a temporary token code will be sent to your device over text message, or generated by a token generator app.

This token code will be required alongside your username and password. If a malicious hacker tries to log into your account, they’ll need your mobile device or they’ll be out of luck. So keep that safe!


Enabling two-factor authentication

It only takes a minute to enable two-factor authentication on your account. Simply:

  1. Go to your My Account page and click “Authentication” on the left.
  2. Click “Enable two-factor authentication” on the right.
  3. Choose whether to use a token generator app, like Google Authenticator (recommended), or to receive text messages on your cell number (carrier rates may apply).
  4. Depending on your choice, you’ll receive a simple set of instructions for getting set up.

You’ll receive your first generated token, which will be used to verify that everything was set up correctly.

After you enable two-factor authentication, you’ll have the opportunity to set a secondary phone number to use in case you lose your primary mobile device or app settings. We highly recommend that you do this, especially if you’re using a token generator app.


Download your backup tokens!

If you’re ever locked out of your account due to a lost or broken phone or tablet, you’ll need a backup token to get back in. These are a pre-generated set of token codes that you can use when logging in.

After you enable two-factor authentication, click “View Backup Tokens.” You may have to verify your password and auth token the first time. Then, follow the instructions to generate your set of backup tokens.

Make sure you save these somewhere safe!
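To show what is going on behind a token generator app and behind the backup tokens described above, here is an added example (not RBCommons’ or RBTools’ code). It implements HOTP/TOTP (RFC 4226/6238) with the RFC test secret, assuming the Google Authenticator defaults of SHA-1, 30-second steps and 6 digits, and consumes backup tokens one-time-only from a hashed store.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (constructed demo
# value); a real service generates a random secret per user and shows it to
# the authenticator app as a QR code / base32 string.
DEMO_SECRET = b"12345678901234567890"
STEP = 30      # seconds per time step
DIGITS = 6     # code length


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 + dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=STEP):
    """Time-based variant (RFC 6238): the counter is floor(unix_time / step)."""
    t = time.time() if at is None else at
    return hotp(secret, int(t) // step)


def verify_totp(secret, code, at=None, step=STEP, window=1):
    """Server-side check. Accepts the current step and +/-window neighbouring
    steps to tolerate clock drift between phone and server; the comparison is
    constant-time so timing does not reveal how close a guess was."""
    t = time.time() if at is None else at
    counter = int(t) // step
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-window, window + 1))


def make_backup_tokens(n=10):
    """Returns (plaintext tokens shown to the user once, hashes to store)."""
    tokens = [secrets.token_hex(5) for _ in range(n)]
    return tokens, {hashlib.sha256(t.encode()).hexdigest() for t in tokens}


def use_backup_token(stored_hashes, token):
    """Consume a backup token: valid exactly once, then removed from the store."""
    h = hashlib.sha256(token.encode()).hexdigest()
    if h in stored_hashes:
        stored_hashes.discard(h)
        return True
    return False
```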


Upgrade RBTools

You’ll need a modern version of RBTools.

If you’re running 0.5.3 or higher, you’re fine, and will receive an authentication token the next time you have to log in through RBTools.

If you’re running an older version, it’s time to upgrade! We’re continually making improvements to RBTools. Speaking of that, watch this space for a new, major RBTools release announcement, coming soon!
